Posted by Zonk on Friday November 30, 2007 @08:45AM from the you-have-laboured-to-produce-a-biologic dept.

Bergkamp10 writes "Australia's University of Technology in Queensland has created a groundbreaking new system that can detect invisible intruders on wireless LANs. Wireless networks have been almost impossible to thoroughly secure as they possess no clearly defined boundaries; instead they are defined by the quality and strength of the receiving antenna. QUT Information Security Institute researcher Dr Jason Smith has invented a new system to detect eavesdropping on unencrypted networks or active hijackings of computer sessions when a legitimate user who is logged onto the network leaves the connection. Smith has created a series of monitoring techniques that, when used together, can detect both attackers and configuration mistakes in network devices."

I don't know about that. I use WPA-PSK security on my WLAN, and I regularly monitor my network using ordinary means (logs, IDS, etc.) and I haven't seen any evidence of intruders, invisible or otherwise. I suppose this is one more thing I could add to my arsenal, but how many with security turned on really have trouble with this?

and I regularly monitor my network using ordinary means (logs, IDS, etc.) and I haven't seen any evidence of intruders, invisible or otherwise. I suppose this is one more thing I could add to my arsenal, but how many with security turned on really have trouble with this?

If the intruders were invisible, how would you see them in logs and IDS? They're invisible. Passive monitoring won't show up in any logs. I know, because I do it sometimes as part of my security service to my customers. You can break into a WEP-encrypted moderate-traffic wireless network without sending a single packet. Once you're in, you can capture all traffic on that network and save it, again, without sending a single packet.
WPA can be cracked if someone uses a simple passphrase, and even random passphrases can be cracked without a whole lot of effort simply by renting part of a botnet, or running your own.

Using the Storm botnet as an example:

There were estimates that put the botnet as large as 50,000,000 computers. Having done WPA-PSK key cracking on a P4 1.6 laptop, it can run around 30 passphrases/second. My desktop is significantly faster, although I haven't actually tried PSK cracking on it. I'd assume probably 45 / second or more. It's not a state of the art machine, by any means. Probably about average.

So if we assume an 8 character random passphrase, (which is all a lot of people will use, so it's easier to remember) that you can type on your keyboard, (again, who's going to use Alt-Numpad combinations?) there are 96 possible keystroke characters that can make up each byte.
96^8 = 7213895789838336 possible password combinations.
Assuming 45 passphrases / second for each machine, it will take, using this botnet, just over 37 days to break that password. That's assuming the most complex password possible for 8 characters. Realistically, you can take out any special character that's not in 13375p3@k, and for most all you'd need is numbers and letters. That'll cut your time significantly.
Yes, that's only an 8 character password, which will take 96 times as long to break with only 1 extra character, but how many people, who don't use their full allotment of 63-characters of randomness, are going to use something like "password", "dave sucks", "fleabert" (name of their cat), or even "fleabert scratches too much" as their passphrase?
Now you've got standard words, which can easily be pulled from a dictionary and put together in different combinations until the passphrase is cracked. Trivial, with enough computing power. And unfortunately, the only people who have access to that kind of computing power, are (I shudder to use the word) cybercriminals.

Of course, any security can be cracked... I personally use a shared key that is significantly longer than that. Adding 1 extra character over 8 makes it 96^9, but adding, say, 3 extra characters makes it 6382393305518410039296 possible password combinations, which would take that same botnet like 90,000 years to crack. Oh, yeah, and bear in mind: those 50,000,000 would all have to be in range of the access point and would have to not overwhelm the access point. Even the best Cisco Aironet equipment isn't g
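The keyspace arithmetic in the two comments above (96^8 against a 50,000,000-machine botnet at 45 guesses per second per machine, and the 11-character variant), redone as a small calculator. This is an added example, not code from any commenter; the character-set size, guess rate, botnet size and the 10,000-word dictionary are assumptions taken from or chosen to illustrate the thread, and the word-count helper goes a step beyond the thread by showing how many dictionary words a passphrase needs to match a random one of a given length.

```python
"""Brute-force cost estimates for WPA-PSK passphrases (added example).

Rates and sizes below are assumptions: 96 typeable characters, 45 PBKDF2
guesses per second per machine, and a botnet of 50,000,000 machines, as
assumed in the thread.  Figures are worst case (entire keyspace tried);
the expected cost is half that.
"""

from math import log2

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

PRINTABLE_CHARS = 96                 # assumed keyboard character set
GUESSES_PER_SEC_PER_MACHINE = 45     # assumed per-machine rate
BOTNET_SIZE = 50_000_000             # assumed botnet size


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passphrases of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Size of a keyspace expressed in bits."""
    return log2(space)


def seconds_to_exhaust(space: int, guesses_per_sec: float) -> float:
    """Time to try every candidate at the given aggregate rate."""
    return space / guesses_per_sec


def crack_days(length: int, alphabet_size: int = PRINTABLE_CHARS,
               machines: int = BOTNET_SIZE,
               rate: float = GUESSES_PER_SEC_PER_MACHINE) -> float:
    """Days for `machines` guessers at `rate` each to exhaust random passphrases."""
    secs = seconds_to_exhaust(keyspace(alphabet_size, length), machines * rate)
    return secs / SECONDS_PER_DAY


def crack_years(length: int, **kw) -> float:
    """Same as crack_days, in years."""
    return crack_days(length, **kw) * SECONDS_PER_DAY / SECONDS_PER_YEAR


def word_passphrase_space(words: int, dictionary_size: int) -> int:
    """Combinations for `words` dictionary words (order matters, repeats allowed)."""
    return dictionary_size ** words


def words_needed(dictionary_size: int, target_bits: float) -> int:
    """Fewest dictionary words whose combinations reach `target_bits` of entropy.

    This is why "fleabert scratches too much" style passphrases need several
    words: each word from a 10,000-word list is worth only ~13.3 bits.
    """
    n = 1
    while entropy_bits(word_passphrase_space(n, dictionary_size)) < target_bits:
        n += 1
    return n


if __name__ == "__main__":
    for length in (8, 9, 11):
        space = keyspace(PRINTABLE_CHARS, length)
        print(f"{length} random chars: {space} candidates, "
              f"{entropy_bits(space):.1f} bits, "
              f"{crack_years(length):,.1f} years worst case")
    bits8 = entropy_bits(keyspace(PRINTABLE_CHARS, 8))
    # Assumed dictionary of 10,000 common words.
    print(f"words from a 10,000-word list to match 8 random chars: "
          f"{words_needed(10_000, bits8)}")
```

The interesting output is not the 8-character figure (about 37 days for the assumed botnet) but the comparison: four words from a 10,000-word list already match eight fully random characters, and every added word buys more than another random character does.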

You only need one computer in range of the WAP to capture the encrypted traffic. Then a bot net could be used to attempt to decrypt the traffic. While doing this is significantly harder than trying to associate directly, it is also totally passive, and can be run in parallel.

Using that method, you have to know something about the encrypted traffic in order to determine if you've found the plaintext or not. In any regard, you'll have to apply some analysis to figure that out and that means you'll need more processing power than what was mentioned.

You need to look into cracking WPA-PSK. You don't need to know anything about the traffic. All you need are 4 packets, one of which is a hash of the passphrase. You hash your passphrase list until you find one that matches the hash captured from the AP, and then you've got your passphrase. No extra traffic necessary.

Yea, but if you set up your wireless network with a specific set of MACs and only allow those MACs to log in, keep all of your machines on so someone can't hijack the MAC, and disable logins to your router from anything but one of those MACs, they won't even be able to connect even after they crack your password unless they can flood your router or otherwise break it. Very few people can do this. If you augment this with weekly password changes and the strongest possible password, they aren't getting in unle

>>yea, but if you set up your wireless network with a specific set of MACs and only allow those macs to log in, keep all of your machines on so someone can't hijack the mac, and disable logins to your router from anything but one of those macs, they won't even be able to connect even after they crack your password unless they can flood your router or otherwise break it. Very few people can do this.

Or you could just change your MAC. This is very easy.

ifconfig eth1 hw ether newmacaddress

Thanks for laying that out. I don't know what makes this so hard for people to get/do. Come up with 3 to 5 words of something that means something to you, separate with some punctuation, and make sure it's around even only 20 characters, and it should take a million machine botnet something like 10^21 years to crack, assuming the 45/tries a second metric. eg., "IHave7FavoriteFl()wer&" should be good for something like the remaining life of the universe. (3.6*10^27 years, by my calculations)

Come up with 3 to 5 words of something that means something to you, separate with some punctuation, and make sure it's around even only 20 characters...

Exactly. Anyone who reads a decent amount should not have any trouble finding a nice long quote from a book they liked which they can remember, which is what I always recommend. If they don't read enough for that to be the case.... fuck'em they don't deserve to be secure;-)

"WPA can be cracked if someone uses a simple passphrase, and even random passphrases can be cracked without a whole lot of effort simply by renting part of a botnet, or running your own."

You are assuming that WPA needs a human-configured passphrase here. Your calculations are all nice, but they refer to WPA-PSK (pre-shared key). If you use WPA with IEEE 802.1x (sometimes called WPA-"Enterprise"), a PMK (Pairwise Master Key) is generated by an AAA server *anew for every session*. I.e. as soon as someone logs

Strangely enough, from the days when I had to reinstall Win98 on several machines all the time, I have that 25 character key memorized.. that's what I use for my WPA encryption. Haven't seen anyone crack that one yet.

You have no idea what you're talking about. Ok, so you know the basics of simple wireless encryption and have used airsnort and kismet and aircrack-ng and whatever the hell else it is you wanna-be hackers kids use. Whatever. The kind of effort needed to do what you're proposing is MONSTROUS,

You, kayditty, are an asshole. Just like all the other stupid fucks in this industry, you assume that since you don't know how to do it, it cannot be done. Your kind are the most arrogant, conceited pricks on the pla

Yet again, piles upon piles of arrogance. I could be Bruce Schneier for all you know. I'm not, but my point is you're making a shitload of assumptions of my ability based on....what? Nothing. Other than my statements not agreeing with your preconceived opinions.

This is a good heuristic, but may be misleading in the case of faulty client hardware or over-active powersaving routines. But look, if you want a secure wifi, perhaps you're misunderstanding the need for wifi. Pervasive internet connections without wires is what we want. If you want to broadcast wifi, you ought to be required to provide this service to all listeners (how many times have I been to a customer site which had wifi that was locked down and inaccessible?). If you want to implement some sort of au

Because if they download kiddie pr0n, it's *MY* IP address that gets logged, and my house the FBI raids looking for said kiddie pr0n. Not worth the risk to be a good Samaritan to the neighbors who can't afford their own internet.

No, it isn't free. It might not cost any money directly, but I'd personally factor in the cost of the possibility of dealing with the police or FBI at some point into the cost.

Anybody posting here should know better than to leave a WAP open, the amount of trouble that can be caused by somebody abusing the set up is more than sufficient to justify keeping a sound security policy. Even then it may get broken, but that's where plausible deniability comes into it.

Even then it may get broken, but that's where plausible deniability comes into it.

You always have plausible deniability, even if you don't have an access point at all. It's completely possible and quite frequent that people's computers are 0wned by viruses and trojans, and used to route anonymous traffic, send spam, and mount scans and attacks on other machines. If securing your systems was required to give plausible deniability, millions upon millions of computer users could be subject to criminal pro

"Nothing can protect you from having to deal with the police or the FBI."

Well, not completely, but I would say not allowing people to commit crimes on your network would do something to dissuade that a little bit. And this [arstechnica.com] headline couldn't more clearly refute your claim - "Child porn case shows that an open WiFi network is no defense". From TFA -
The merits of leaving your wireless access point (WAP) ope

Well, the first thing you need to do is actually start reading the article you're using for support. From the fine article you quoted:

The FBI says it found CDs with child porn in Perez's room, the only one it searched.

Up to the time you can show how a wifi connection will make a physical CD magically show up in a room, then any argument about plausible deniability based off this case is full of it. You can't claim someone else was using your wireless connection to download child porn when you have a big st

Read even further. It was most likely his roommate who had the kiddie porn, but they still basically ruled it was his connection and his liability. With no probable cause, there is no search and seizure. Eliminate the first step and you don't need to worry about the rest. And sorry, but this IS a test case no matter what other evidence was found. Until it is overturned, the ruling stands as precedent in all other cases after it.

And this headline couldn't more clearly refute your claim - "Child porn case shows that an open WiFi network is no defense"

But the crime in that case wasn't committed over an open wireless network. The argument was that a search warrant shouldn't have been granted because of the open access point, it didn't have anything to do with plausible deniability. The guy was caught with CDs of child porn in his room, which is pretty open and shut, he was just trying to get off on a technicality about the search

The crime that caused the FBI to have probable cause WAS committed over an open wireless network - downloading child porn. They could have never searched his apartment without that evidence. In this case the person had deniable plausibility, in fact all signs pointed to his roommate being the guilty party. But that didn't stop him from being charged because it was his connection that was used. I don't know about you, but I would rather not give law enforcement probable cause to search my house, even if I ha

I'm pretty sure, though not totally confident, that "common carrier" isn't an official bureaucratic status, like something you have to apply for or be a certain type of business for. It's simply a legal category to describe a technology which indiscriminately relays information that anyone puts on it.

For example, if you operated a hobby radio repeater and someone broadcasted a bomb threat to town hall through your radio repeater, you wouldn't be liable because you're a common carrier - your technology re

You always have plausible deniability, even if you don't have an access point at all. It's completely possible and quite frequent that people's computers are 0wned by viruses and trojans, and used to route anonymous traffic, send spam, and mount scans and attacks on other machines. If securing your systems was required to give plausible deniability, millions upon millions of computer users could be subject to criminal prosecution right now.

Nothing can protect you from having to deal with the police or the FBI.

Reducing the probability of dealing with authorities by not opening your network does not make the resulting still non-zero -- but smaller -- probability useless.

Whether the effort required to do so is worth your time is a cost-benefit analysis left as an exercise to the reader. If you choose to decide it's not worth your time, great. But don't expect everyone else to agree with you.

Sure, I'll unsecure my wireless network for you to use. As long as you leave your front door unlocked so I can come over to your house anytime I want, make a sandwich, watch some TV, play some video games, etc.

Entertainment is what we want. If you want to do entertaining things, you ought to be required to provide this service to all.

Entertainment is what we want. If you want to do entertaining things, you ought to be required to provide this service to all.

By that logic, if you buy into Maslow's hierarchy [wikipedia.org], you have an even greater responsibility to be providing food, shelter, and sex to people too. After all, we want those more than entertainment.

Let me know your address; I'll do my part by personally bringing some homeless people to you so you can help out. I'll need to know which gender you prefer, too; I wouldn't want to stretch

Ack, sorry -- I think I just tried to slam someone saying the same thing I am. I should have said "To anyone who believes this, let me know your address and I'll do my part....." Trying to be non-directed and all.

otoh, if I re-read your post incorrectly, and you do believe I should be unsecuring my wireless net, feel free to take the slam personally.:-)

No, you re-read it right. My information doesn't want to be free, and neither does my beer, television, or food. I think if you own a wireless device, you are free to share or not share as you see fit.

The description is, basically, they use the signal strength and round trip times of the signals to figure out if someone unauthorized is on your network. The downside is that, in large corporate wireless networks, I would think people tend to be pretty mobile and there won't be a reliable indicator that the odd signal from slightly too far away isn't just somebody who remembered one last thing on the way to their car. Smaller wireless networks aren't likely to care enough to spend the time it takes to tell.

It's an interesting idea, but I have a hard time seeing it become widespread.

Whilst you have somewhat of a point, the odd occasion where one may forget something and try to access the LAN at his car is an outlier to the data set. If the system notices someone from that location connecting to the network, it can either force a new authentication event requiring a local cert, or can simply shut down the AP the external person is connecting to. (Preferably shutting it down.) As an aside, the company can also have a policy explicitly forbidding access from the parking lot. If what they

That's actually a good point. I come at it from the point of view of the large companies I've worked for. To get on the corporate network via a wireless connection, you still have to authenticate to a VPN server. We have a separate wireless network that visitors from other companies can use, but it's got no connection to the corporate network. I'm sure it's not that way for every large company.

If their networks are so sensitive and secure why transmit ANYTHING over the air? This is just another way to use the illusion of security to adopt a police state. In the article they mention sending out armed guards to check on the intrusions, etc. See, they're already thinking in the right direction.

So, basically, they are just triangulating every node on the network, and detecting when a node is outside a given range (outside the building?), or seems to suddenly jump to another location (session hijacking)?
Would this still work if the attacker is using a directional, high-gain antenna to prevent effective triangulation? Also, varying the signal strength and round trip time could throw this off, but even if the exact location of the attacker cannot be determined because of it, the alarm could still be raised.
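The detection idea the thread is describing (a per-station envelope of signal strength and round-trip time, and an alarm when a station falls outside it or jumps), as an added example that is not the QUT system's or any vendor's code. Thresholds, the warm-up length, the confirmation count and the sample readings are all constructed assumptions; the confirmation rule is there for the false-positive worry raised above about users who wander toward the car park and back.

```python
"""Flag stations whose RSSI or RTT leaves their learned baseline (added example).

Learn a per-station envelope from the first few frames, then alert when a
station's signal strength drops or its round-trip time grows well past that
envelope, which is what a distant station reusing a legitimate session looks
like to the monitoring AP.  All thresholds and sample data are assumptions.
"""

from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Sample:
    mac: str        # station address as seen by the monitoring AP
    t: float        # capture time, seconds
    rssi: int       # received signal strength, dBm
    rtt_us: float   # frame-to-ACK round trip, microseconds


@dataclass(frozen=True)
class Alert:
    mac: str
    t: float
    reason: str


def baselines(samples, warmup=3):
    """Median RSSI and RTT of each station's first `warmup` samples."""
    per_mac = defaultdict(list)
    for s in sorted(samples, key=lambda s: s.t):
        if len(per_mac[s.mac]) < warmup:
            per_mac[s.mac].append(s)
    return {mac: (median(s.rssi for s in ss), median(s.rtt_us for s in ss))
            for mac, ss in per_mac.items() if len(ss) == warmup}


def detect(samples, warmup=3, rssi_drop_db=15, rtt_extra_us=30, confirm=2):
    """Alert once per station after `confirm` consecutive out-of-envelope samples.

    A single stray reading (someone walking to the car and back) resets to
    normal on the next good sample and never alerts; a station that stays far
    away, or a second radio using the same address from elsewhere, keeps
    tripping the check and is reported once.
    """
    base = baselines(samples, warmup)
    seen = defaultdict(int)      # samples processed per station
    streak = defaultdict(int)    # consecutive anomalous samples per station
    alerts = []
    for s in sorted(samples, key=lambda s: s.t):
        seen[s.mac] += 1
        if s.mac not in base or seen[s.mac] <= warmup:
            continue             # still learning this station
        b_rssi, b_rtt = base[s.mac]
        reasons = []
        if s.rssi < b_rssi - rssi_drop_db:
            reasons.append(f"rssi {s.rssi} dBm vs baseline {b_rssi} dBm")
        if s.rtt_us > b_rtt + rtt_extra_us:
            reasons.append(f"rtt {s.rtt_us} us vs baseline {b_rtt} us")
        if not reasons:
            streak[s.mac] = 0
            continue
        streak[s.mac] += 1
        if streak[s.mac] == confirm:
            alerts.append(Alert(s.mac, s.t, "; ".join(reasons)))
    return alerts


def _track(mac, readings):
    """Constructed helper: one sample per second for a station."""
    return [Sample(mac, t, rssi, rtt) for t, (rssi, rtt) in enumerate(readings)]


# Constructed readings (not real captures): ...01 is a stable desk user,
# ...02 is stable for three frames and then appears far away for the rest,
# ...03 has exactly one far-away reading and returns.
SAMPLES = (
    _track("aa:bb:cc:00:00:01", [(-45, 60), (-46, 62), (-44, 58), (-45, 61), (-46, 60), (-45, 59)])
    + _track("aa:bb:cc:00:00:02", [(-44, 61), (-45, 60), (-44, 62), (-76, 125), (-75, 122), (-77, 130)])
    + _track("aa:bb:cc:00:00:03", [(-50, 70), (-51, 72), (-50, 71), (-70, 110), (-50, 71), (-51, 70)])
)

if __name__ == "__main__":
    for a in detect(SAMPLES):
        print(f"t={a.t:>3}  {a.mac}  {a.reason}")
```

Run as written it reports only station ...02, at t=4 (the second consecutive far-away reading); ...03's single excursion is absorbed by the confirmation rule. The caveat from the thread stands: a station with a directional antenna or deliberately varied timing can stay inside the envelope, and a truly passive listener produces no samples at all, so this catches active sessions from the wrong place, not eavesdropping.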

So, basically, they are just triangulating every node on the network, and detecting when a node is outside a given range (outside the building?), or seems to suddenly jump to another location (session hijacking)? Would this still work if the attacker is using a directional, high-gain antenna to prevent effective triangulation?

Sounds like they're not "triangulating" - computing the DIRECTION to a station from two monitoring locations in order to identify the station's location as the third point of a triangl

I'm fairly new to all this but at a very basic level it seems to make sense. It's just a more complex method of looking at the flashing lights on the modem to see if it's in sync with your known wireless connections. -- Okay, a lot more complex than that.

I wonder if this can be applied to other wireless systems, e.g., radio systems. If so it would be very useful.

You can detect many things, but not eavesdropping. Your little wifi card broadcasts all kinds of data, in all directions. I can listen in and say nothing. How are you going to detect that? Warping of the ether?

You can detect many things, but not eavesdropping. Your little wifi card broadcasts all kinds of data, in all directions. I can listen in and say nothing. How are you going to detect that?

Your firmware might react to being associated with a network enough to eavesdrop it by also responding to low-level configuration traffic. If that happens, even if you don't send any data the firmware may respond to probes, letting the network know you're listening.

If you're truly eavesdropping you're undetectable. But do you know what the vendor put in the binary blob?

"Your firmware might react to being associated with a network enough to eavesdrop it by also responding to low-level configuration traffic. If that happens, even if you don't send any data the firmware may respond to probes, letting the network know you're listening."

It is fairly cheap and easy to set up a listen-only client using hardware whose transmitter is easily disabled. A few minutes with a razor blade or soldering iron, and I don't need what the proprietary firmware *tries* to do. If I want an

1) hopping from one router to another is detected via traditional means
2) higher than average roundtrip times are noticed via traditional means
3) signal is triangulated via traditional means to put a location on a suspected signal.

A new but obvious procedure that someone has decided to put to paper and product. It is a nice product to notice but this is about as ground breaking as peanut butter and chocolate.

This technique doesn't appear to handle eavesdropping attacks, where the attacker records radio traffic for real-time or post-analysis. By capturing signals, unencrypted and WEP-encrypted traffic can be snooped for sensitive data.

This same technique also works against other weakly-encrypted or unencrypted protocols, provided you can get close enough to snoop. I'm thinking infrared keyboards and possibly bluetooth not to mention old-fashioned CRT-sniffing using a specially-equipped police van like you seen i

1. Secure the connection using WEP/WPA/whatever.
2. SPECIFY the MAC addresses of the specific client hardware in the routing table; a whitelist will REJECT any other connection attempt (MOST routers will do this!)
3. TURN OFF SSID Broadcast once you have the specified units set up; this will render the wireless network invisible to casual scanners.

I have never had a support call for hacked wireless on ANY system that I've set up using the three points listed.

Right, that keeps out amateurs and lazy hackers. Somebody that really, really wants in can still find a way eventually (except for WPA2... that hasn't been cracked yet has it?) On mine, I've also taken the steps of disabling DHCP, and setting my network subnet mask to 248 as the last octet. This leaves only 6 IPs available, exactly the number of devices on my network. A hacker would not only have to clone a MAC address, but take one of my in-use IP addresses. Not an impossible task, but a pain in the as

WEP is useless and can be cracked in less than 10 minutes using any laptop made in the last 10 years. Keep on using that WPA though.
MAC filtering is useless because anyone with Kismet can see the active MAC addresses on the network.
SSID hiding is useless because anyone with Kismet can see the active SSIDs around them.

How in the hell can anyone see invisible things? If a passive eavesdropper is quietly capturing all packets without sending anything, you can't monitor them. It's not like there's an electrical connection to the host that you can monitor for power dips. A more effective solution, which has been employed by every ignorant security "expert" in the world, is to claim that all wireless networks are insecure. Yes, Duh! Next question.

To a certain extent, all networks are vulnerable whether they're carried in t

It seems this would work great for a small office scenario with a few users, but I imagine with a larger network and things like iPhones, transmitting, connecting, and disconnecting from various distances and signal strengths "odd" round trip times would seem very difficult to reliably detect. The threshold would either result in a large number of false positives, or miss the real threats all together. It would certainly be possible to throw out something like an iPhone, but then as an attacker I could ju

Newbury Networks, among others, have used triangulation coupled with latency to 'watch' 'intruders' on networks. Businesses that don't put locks on their doors -- oops, I mean a strong access key -- invite break-ins. It IS POSSIBLE to secure specific access points to the point where it's no longer useful to try and crack them; WPA2 with a random strong temporal, randomly-changed key (say 24hrs at most) will suffice. Instead, notebooks or stationary devices are more astute targets for the ne'er-do-wells.

We deployed Aruba wireless Access points that give you location based access 2 years ago. An electronic fence, as it were. It does not solve the problem of eavesdropping and I think encryption is the only solution to limit that type of "Hack". The paper is interesting but obvious in its arguments.

Not to flame or troll or slashvertise, but how is this new? I was at a conference recently where the coolest security product on display was from http://www.airtightnetworks.net/ [airtightnetworks.net]: Their WIPS can be configured with an organization's known wireless clients (MAC address, make, HW and SW versions, etc.), and then detect systems that shouldn't be there.

According to the reseller's CTO - I had the good fortune to stop by the booth before he and the COO departed and the booth was left with only salesdroids - the syst

Now, I may not be a physicist, but I'll play one here on Slashdot. I really don't see how this can detect eavesdropping. Of course, my definition of eavesdropping is that it is a passive activity, listening if you will, but not talking.

Since this technology appears to be predicated on receiving a signal from the "eavesdropper", the real world equivalent would be the eavesdropper butting into your conversation to ask you a question or to tell you something.

If a wireless NIC is in passive, promiscuous mode, it doesn't have to send any data out. It doesn't associate itself with the access point, it doesn't ask permission from the network to be there, and it doesn't need to send any response to anything. It's just "listening" and collecting packets as they go to and fro, in the open air. In order to triangulate anything, particularly based on response-time, the intruding node would have to respond, which it doesn't.
This is just another half-hearted attempt

The very best way to secure a wireless network is to make yours look like less of a target than others around you. I personally have a 13 digit WPA2 passphrase including numbers and MAC filtering, overall pretty solid. But then my neighbors have completely unlocked wireless with their routers using the default settings; anyone who would choose me over them would have to be either really bored or wanting to specifically see what I'm doing. I'm not paranoid about this but I do check my router every 2 weeks or so

So what? I didn't make you go to the link. You clicked the link yourself. That's not my problem. If you read slashdot at work and you start following links in comments THEN YOU'RE NOT AT WORK, and personally I don't think you should be doing that during work time as you're potentially a risk to your employer by visiting sites that are of questionable trust. I'd probably sack you. You're lucky that I didn't put something there that would compromise browsers and what I did alerted you to the fact that you're